Google Widevine (L3) Cracked – What to expect?

The New Year started with yet another reminder that security should not be taken for granted, even for the most established products and services.

At Bitmovin, security is top of mind for us even in cases where we’re not directly involved or responsible for the vulnerabilities.

We consider it our responsibility to do whatever we can, whether that is educating our customers or recommending best practices, so that they can stay ahead of these issues.

The average user has many ways to watch their favourite content today. Content security is a top focus for studios and content owners as they ramp up investment in premium, box-office productions or bring niche content to new markets. It becomes all the more important to protect content revenue from piracy and illegal distribution while keeping the experience seamless and enjoyable for paying subscribers.

However, as with everything in security, a protection is only as good as the effort it takes to get around it. Last week a British security researcher announced in a Twitter post that he had cracked Widevine L3 DRM: he was able to recover the content decryption key from the L3 software CDM and play the decrypted content back, albeit after "a few evenings" of effort and with the relevant expertise.

What was the vulnerability and who is affected?

Google Widevine provides three security levels (L1, L2, L3), and L3 was already known to be the weakest of the three by design. You can read more about Widevine security levels here.

L1 – all content processing, decryption and cryptographic operations happen inside a Trusted Execution Environment (TEE).

L2 – cryptographic operations happen inside a TEE, but the decrypted video is processed outside it.

L3 – cryptographic operations and content processing are handled in software outside a TEE, either because the device has no TEE or because the implementation intentionally does not use one. Keys are handled in ordinary process memory, where they can be protected only by software means.

The reported vulnerability only affects Widevine L3, which studios typically permit only for lower-quality renditions (below 720p, i.e. SD rather than HD).

Widevine L3 is used by default in the following environments. Therefore, the vulnerability affects:

Desktop browsers (Windows, macOS, Linux) that use the Widevine software CDM, i.e. Chrome and Firefox.

Devices without a TEE-backed Widevine implementation, usually older or low-cost models from manufacturers that skip Google's device certification. Unfortunately, no official list is available, but these articles from Digit and AndroidAuthority are a helpful starting point.

What are the mitigation steps?

At the moment the options are limited, and Google has yet to release further public information. We will update this post as we learn more. In the meantime, we recommend the following measures to help safeguard your content:

You can block content on browsers and devices that currently depend on Widevine L3 (software) decryption, and unblock it once Google has shipped a patch.

For mobile and OTT apps, you can enforce an L1 policy by checking which DRM security level the underlying device supports before serving premium content (on Android, for example, the Widevine MediaDrm plugin exposes this as its securityLevel property). This is not yet possible on desktop browsers, where all decryption happens in software in an untrusted environment, so enforcing L1 there means losing playback on those platforms.

If you cannot afford to block content, configure more frequent key rotation in your packager. A recovered key then only unlocks the segments encrypted under it, which makes the attacker's job harder, though not impossible; it may also incur additional licensing costs, since every rotation is another key to license.

You can also contact your DRM provider for any additional recommendations.
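As an added example of the L1-policy check described above (this is not Bitmovin's code, nor anything Google publishes), here is one way a manifest service can act on the security level a client reports: it normalises the reported value (an Android MediaDrm securityLevel such as "L1" or "L3", or an EME robustness string), treats anything missing or unknown as L3, and strips every rendition above that level's cap from an HLS master playlist. The resolution caps, the sample playlist and the idea of a request header carrying the reported level are all constructed for the example.

```python
import re
from typing import List, Optional

# Highest video height (pixels) each Widevine level may receive. These caps
# are illustrative choices for this example; align them with your licensing terms.
MAX_HEIGHT_BY_LEVEL = {"L1": 2160, "L2": 1080, "L3": 576}

# Strings a client may report. Android's MediaDrm "securityLevel" property
# yields "L1"/"L3"; browsers expose EME robustness strings instead.
_ROBUSTNESS_TO_LEVEL = {
    "HW_SECURE_ALL": "L1",
    "HW_SECURE_DECODE": "L1",
    "HW_SECURE_CRYPTO": "L2",
    "SW_SECURE_DECODE": "L3",
    "SW_SECURE_CRYPTO": "L3",
}

_RESOLUTION = re.compile(r"RESOLUTION=(\d+)x(\d+)")


def normalize_level(reported: Optional[str]) -> str:
    """Map a reported level to L1/L2/L3; missing or unknown values fail closed to L3."""
    if not reported:
        return "L3"
    value = reported.strip().upper()
    if value in MAX_HEIGHT_BY_LEVEL:
        return value
    return _ROBUSTNESS_TO_LEVEL.get(value, "L3")


def filter_master_playlist(master: str, reported_level: Optional[str]) -> str:
    """Return the master playlist without variants above the client's cap.

    An #EXT-X-STREAM-INF tag is always followed by its variant URI on the
    next line, so both lines are dropped together to keep the playlist valid.
    Tags without a RESOLUTION attribute (audio-only variants) are kept.
    """
    cap = MAX_HEIGHT_BY_LEVEL[normalize_level(reported_level)]
    kept: List[str] = []
    drop_next_uri = False
    for line in master.splitlines():
        if drop_next_uri:
            drop_next_uri = False  # this is the URI of the variant just dropped
            continue
        if line.startswith("#EXT-X-STREAM-INF"):
            match = _RESOLUTION.search(line)
            if match and int(match.group(2)) > cap:
                drop_next_uri = True
                continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def variant_uris(master: str) -> List[str]:
    """URIs of the variants a master playlist advertises, in order."""
    lines = master.splitlines()
    return [lines[i + 1] for i, line in enumerate(lines) if line.startswith("#EXT-X-STREAM-INF")]


# Constructed sample master playlist for the example (not from the original post).
SAMPLE_MASTER = """#EXTM3U
#EXT-X-VERSION:6
#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="aud",NAME="English",DEFAULT=YES,URI="audio/en.m3u8"
#EXT-X-STREAM-INF:BANDWIDTH=800000,RESOLUTION=640x360,CODECS="avc1.4d401e,mp4a.40.2",AUDIO="aud"
video/360.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=1500000,RESOLUTION=1024x576,CODECS="avc1.4d401f,mp4a.40.2",AUDIO="aud"
video/576.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=3000000,RESOLUTION=1280x720,CODECS="avc1.64001f,mp4a.40.2",AUDIO="aud"
video/720.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=6000000,RESOLUTION=1920x1080,CODECS="avc1.640028,mp4a.40.2",AUDIO="aud"
video/1080.m3u8
"""

if __name__ == "__main__":
    # The value would come from a request header the client sets (hypothetical in this example).
    for reported in ("L1", "HW_SECURE_CRYPTO", "SW_SECURE_DECODE", None):
        allowed = variant_uris(filter_master_playlist(SAMPLE_MASTER, reported))
        print(f"{reported!r:>20} -> {normalize_level(reported)}: {allowed}")
```

A level reported by the client is only a hint: on an L3 device it comes from software the attacker fully controls, so the license server, which can establish the client's real security level from the license request, must also refuse high-value keys to software-only clients. The filter above simply avoids advertising 720p and 1080p renditions to a client that has already declared itself L3, and fails closed to L3 when the client says nothing.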

What to expect next?

Google is expected to release a fix soon, and we will update this post when we have news. Ideally no changes will be required on your side, since the fix should arrive automatically as an update to the browser or to the CDM component.

What else can be done to safeguard against these in the future?

Check your DRM policies and always enforce the correct settings; work with your player and DRM experts to plan ahead.

Consider CDN tokens (signed, expiring URLs) as an additional layer of protection for your segments; talk to your CDN expert to learn more.
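To make the CDN-token idea concrete, here is an added example that is not code from Bitmovin or from any particular CDN: the origin issues an HMAC-SHA256 token that binds a path prefix, an expiry time and optionally the client IP, and the edge verifies it before serving a segment. The secret, host name, paths and timestamps are constructed for the example; commercial CDNs have their own token formats, but the checks are the same.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def _mac(secret: bytes, prefix: str, expires: int, client_ip: str) -> str:
    """HMAC-SHA256 over every field the edge will rely on, URL-safe base64 encoded."""
    message = "\n".join([prefix, str(expires), client_ip]).encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_token(prefix: str, secret: bytes, ttl_seconds: int,
                client_ip: str = "", now: Optional[int] = None) -> str:
    """Origin side: return the query string a player appends to segment URLs.

    The prefix must end in '/' so that '/v/abc/' cannot also authorise '/v/abcd/'.
    An empty client_ip issues a token that is not bound to an address.
    """
    if not prefix.startswith("/") or not prefix.endswith("/"):
        raise ValueError("prefix must be an absolute path ending in '/'")
    expires = int(time.time() if now is None else now) + ttl_seconds
    token = _mac(secret, prefix, expires, client_ip)
    return urlencode({"pfx": prefix, "exp": expires, "ip": client_ip, "tok": token})


def verify_request(url: str, secret: bytes, client_ip: str = "",
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Edge side: decide whether a segment request may be served."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query, keep_blank_values=True)
    try:
        prefix = query["pfx"][0]
        expires = int(query["exp"][0])
        bound_ip = query["ip"][0]
        token = query["tok"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed token"
    # Check the MAC first: only after this are prefix, expiry and ip trustworthy.
    if not hmac.compare_digest(_mac(secret, prefix, expires, bound_ip), token):
        return False, "bad signature"
    if int(time.time() if now is None else now) >= expires:
        return False, "expired"
    if bound_ip and bound_ip != client_ip:
        return False, "ip mismatch"
    # Reject traversal and anything outside the signed prefix.
    if ".." in parsed.path.split("/") or not prefix.endswith("/") \
            or not parsed.path.startswith(prefix):
        return False, "path outside signed prefix"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values for the example.
    secret = b"constructed-demo-secret"
    query = issue_token("/v/abc/", secret, ttl_seconds=600, client_ip="203.0.113.7", now=1_700_000_000)
    for url in ("https://cdn.example.com/v/abc/720/seg0001.m4s?" + query,
                "https://cdn.example.com/v/xyz/720/seg0001.m4s?" + query):
        print(url.split("?")[0], verify_request(url, secret, client_ip="203.0.113.7", now=1_700_000_100))
```

Tokens limit who can fetch ciphertext and for how long, so a recovered content key is only useful to someone who can also obtain the segments; they do not protect the key itself and therefore complement DRM rather than replace it. Verify the MAC before trusting any other field, always keep the short-lived expiry, and normalise the path (the example rejects `..` components) before comparing it to the signed prefix, since CDNs apply rules to the normalised path.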